Re: new warnings produced by task under Open JDK 17-ea+28-2534
Thanks, Jaikiran, for taking this issue to security-dev and for making changes to ant to reduce the amount of noise. On 6/28/21 10:22 AM, Jaikiran Pai wrote: I spent some time on this today and experimented with some sample build scripts and I noticed that these warning messages are a lot more intrusive in their current form than what I had initially thought or noticed. Based on your and one other user's inputs so far, I've raised a discussion in security-dev mailing list of OpenJDK, explaining how this is currently impacting Ant project and some potential ways to reduce this impact. The discussion thread is here https://mail.openjdk.java.net/pipermail/security-dev/2021-June/026660.html -Jaikiran On 28/06/21 8:22 pm, Rick Hillegas wrote: Thanks for that explanation, Jaikiran. On 6/27/21 8:29 PM, Jaikiran Pai wrote: Hello Rick, Thank you for this report. We have been watching this area and have been aware of this issue, including one other user report[1]. I'm just waiting for things to become a bit more clear on this front before coming up with any proposal in the Ant project on how to deal with this. Clearly our permissions[2] type and the whole security manager based implementation will be impacted and needs a rethink. For the java task, we by default apply certain permissions when run without "fork". That's what is triggering this warning. It has been there in the build 26 EA of JDK 17 as well - of course, that version didn't include the exact class which was calling the System.setSecurityManager. That additional detail got included recently[3]. [1] https://bz.apache.org/bugzilla/show_bug.cgi?id=65381 [2] http://ant.apache.org/manual/Types/permissions.html [3] https://github.com/openjdk/jdk17/pull/13 -Jaikiran On 27/06/21 11:22 pm, Rick Hillegas wrote: Open JDK 17 build 17-ea+28-2534 causes the ant 1.10.6 task to produce the following warnings when you DON'T fork the JVM: WARNING: A terminally deprecated method in java.lang.System has been called WARNING: System::setSecurityManager has been called by org.apache.tools.ant.types.Permissions (file:/opt/ant/lib/ant.jar) For more information, see https://issues.apache.org/jira/browse/DERBY-7110?focusedCommentId=17370259=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17370259 and https://issues.apache.org/jira/browse/DERBY-7110?focusedCommentId=17370302=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17370302 - To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org For additional commands, e-mail: dev-h...@ant.apache.org - To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org For additional commands, e-mail: dev-h...@ant.apache.org - To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org For additional commands, e-mail: dev-h...@ant.apache.org
Re: new warnings produced by task under Open JDK 17-ea+28-2534
I spent some time on this today and experimented with some sample build scripts and I noticed that these warning messages are a lot more intrusive in their current form than what I had initially thought or noticed. Based on your and one other user's inputs so far, I've raised a discussion in security-dev mailing list of OpenJDK, explaining how this is currently impacting Ant project and some potential ways to reduce this impact. The discussion thread is here https://mail.openjdk.java.net/pipermail/security-dev/2021-June/026660.html -Jaikiran On 28/06/21 8:22 pm, Rick Hillegas wrote: Thanks for that explanation, Jaikiran. On 6/27/21 8:29 PM, Jaikiran Pai wrote: Hello Rick, Thank you for this report. We have been watching this area and have been aware of this issue, including one other user report[1]. I'm just waiting for things to become a bit more clear on this front before coming up with any proposal in the Ant project on how to deal with this. Clearly our permissions[2] type and the whole security manager based implementation will be impacted and needs a rethink. For the java task, we by default apply certain permissions when run without "fork". That's what is triggering this warning. It has been there in the build 26 EA of JDK 17 as well - of course, that version didn't include the exact class which was calling the System.setSecurityManager. That additional detail got included recently[3]. [1] https://bz.apache.org/bugzilla/show_bug.cgi?id=65381 [2] http://ant.apache.org/manual/Types/permissions.html [3] https://github.com/openjdk/jdk17/pull/13 -Jaikiran On 27/06/21 11:22 pm, Rick Hillegas wrote: Open JDK 17 build 17-ea+28-2534 causes the ant 1.10.6 task to produce the following warnings when you DON'T fork the JVM: WARNING: A terminally deprecated method in java.lang.System has been called WARNING: System::setSecurityManager has been called by org.apache.tools.ant.types.Permissions (file:/opt/ant/lib/ant.jar) For more information, see https://issues.apache.org/jira/browse/DERBY-7110?focusedCommentId=17370259=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17370259 and https://issues.apache.org/jira/browse/DERBY-7110?focusedCommentId=17370302=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17370302 - To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org For additional commands, e-mail: dev-h...@ant.apache.org - To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org For additional commands, e-mail: dev-h...@ant.apache.org - To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org For additional commands, e-mail: dev-h...@ant.apache.org
Re: new warnings produced by task under Open JDK 17-ea+28-2534
Thanks for that explanation, Jaikiran. On 6/27/21 8:29 PM, Jaikiran Pai wrote: Hello Rick, Thank you for this report. We have been watching this area and have been aware of this issue, including one other user report[1]. I'm just waiting for things to become a bit more clear on this front before coming up with any proposal in the Ant project on how to deal with this. Clearly our permissions[2] type and the whole security manager based implementation will be impacted and needs a rethink. For the java task, we by default apply certain permissions when run without "fork". That's what is triggering this warning. It has been there in the build 26 EA of JDK 17 as well - of course, that version didn't include the exact class which was calling the System.setSecurityManager. That additional detail got included recently[3]. [1] https://bz.apache.org/bugzilla/show_bug.cgi?id=65381 [2] http://ant.apache.org/manual/Types/permissions.html [3] https://github.com/openjdk/jdk17/pull/13 -Jaikiran On 27/06/21 11:22 pm, Rick Hillegas wrote: Open JDK 17 build 17-ea+28-2534 causes the ant 1.10.6 task to produce the following warnings when you DON'T fork the JVM: WARNING: A terminally deprecated method in java.lang.System has been called WARNING: System::setSecurityManager has been called by org.apache.tools.ant.types.Permissions (file:/opt/ant/lib/ant.jar) For more information, see https://issues.apache.org/jira/browse/DERBY-7110?focusedCommentId=17370259=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17370259 and https://issues.apache.org/jira/browse/DERBY-7110?focusedCommentId=17370302=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17370302 - To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org For additional commands, e-mail: dev-h...@ant.apache.org - To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org For additional commands, e-mail: dev-h...@ant.apache.org
Re: new warnings produced by task under Open JDK 17-ea+28-2534
Hello Rick, Thank you for this report. We have been watching this area and have been aware of this issue, including one other user report[1]. I'm just waiting for things to become a bit more clear on this front before coming up with any proposal in the Ant project on how to deal with this. Clearly our permissions[2] type and the whole security manager based implementation will be impacted and needs a rethink. For the java task, we by default apply certain permissions when run without "fork". That's what is triggering this warning. It has been there in the build 26 EA of JDK 17 as well - of course, that version didn't include the exact class which was calling the System.setSecurityManager. That additional detail got included recently[3]. [1] https://bz.apache.org/bugzilla/show_bug.cgi?id=65381 [2] http://ant.apache.org/manual/Types/permissions.html [3] https://github.com/openjdk/jdk17/pull/13 -Jaikiran On 27/06/21 11:22 pm, Rick Hillegas wrote: Open JDK 17 build 17-ea+28-2534 causes the ant 1.10.6 task to produce the following warnings when you DON'T fork the JVM: WARNING: A terminally deprecated method in java.lang.System has been called WARNING: System::setSecurityManager has been called by org.apache.tools.ant.types.Permissions (file:/opt/ant/lib/ant.jar) For more information, see https://issues.apache.org/jira/browse/DERBY-7110?focusedCommentId=17370259=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17370259 and https://issues.apache.org/jira/browse/DERBY-7110?focusedCommentId=17370302=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17370302 - To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org For additional commands, e-mail: dev-h...@ant.apache.org - To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org For additional commands, e-mail: dev-h...@ant.apache.org
new warnings produced by task under Open JDK 17-ea+28-2534
Open JDK 17 build 17-ea+28-2534 causes the ant 1.10.6 task to produce the following warnings when you DON'T fork the JVM: WARNING: A terminally deprecated method in java.lang.System has been called WARNING: System::setSecurityManager has been called by org.apache.tools.ant.types.Permissions (file:/opt/ant/lib/ant.jar) For more information, see https://issues.apache.org/jira/browse/DERBY-7110?focusedCommentId=17370259=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17370259 and https://issues.apache.org/jira/browse/DERBY-7110?focusedCommentId=17370302=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-17370302 - To unsubscribe, e-mail: dev-unsubscr...@ant.apache.org For additional commands, e-mail: dev-h...@ant.apache.org
